Why Google is really offering an opt-out …

SEARCH BLOG

When I first saw the news of Google’s opt-out browser plug-in spread around Twitter I thought “hmm, I wondered when we’d see this” and moved on since opt-out is more or less an non-issue — basically because in the grand scheme of things nobody really opts-out. For all the hand-wringing and navel-gazing people do on the subject of privacy online, I have never, ever seen any data that indicates that web users actively opt-out of tracking in significant numbers.

Never.

If you have it, bring it on as I’d love to see it. But in my experience the only people really truly and actively interested in browser- or URL-based opt-out for tracking are privacy wonks, extreme bit-heads, and some Europeans. The privacy wonks and bit-heads are who they are and are unlikely to ever change; the Europeans have privacy concerns for other reasons but I will defer to Aurelie to try and make heads or tails of what those reasons are.

You do remember that Google Analytics comes at the amazing deficit reducing price of ABSOLUTELY FREE. Even a Republican can get his or her arms around that price tag, huh?

You betcha.

“Hey wait,” you say, “what about the fact that Federal web sites will probably never get permission to track visitors over multiple sessions?” Good point, except did you know you can override Google Analytics _setVisitorCookieTimeout() and_setCampaignCookieTimeout() variables and set their values to zero (“0”) which effectively converts all Google Analytics tracking cookies to session-only cookies?

Yep.

Not to mention that the little birds who sing songs in only hushed tones suggest that OMB is about to take a much more reasonable stance on visitor tracking anyway. This is not a done deal, but the situation that most Federal site managers work under today — one where many sites are more or less forced to use out-of-date log file analyzers and most are hamstrung in their ability to analyze multi-session behavior — seems to fly directly in the face of President Obama’s efforts to make government more transparent and effective.

Now, I could be wrong about all of this — I am human, and like Joe Stanhope I have not heard word-one from Google about the opt-out app — but I am pretty good at connecting dots and these are big, obvious dots:

Google loves data

Feds have tons of data

Feds have requirements necessitating privacy controls

Google builds privacy controls

Google gets Feds data

This is actually pretty brilliant of Google if you think about it. Assuming you’re with me in my belief that Google Analytics isn’t about AdWords or Analytics or anything other than Google’s desire to have all the world’s data, then you’ll surely see that providing Federal web site operators a web analytics solution that simultaneously solves a multitude of analysis problems AND saves money is, well, pretty freaking brilliant.

Another 3% are using Google Analytics with Omniture (1%) or Webtrends (2%)

6% are using Omniture (one, GSA.gov in tandem with Webtrends)

15% are using Webtrends (including GSA.gov in tandem with Omniture)

63% appear to have no hosted analytics of any kind

If I’m right the evidence will be obvious as more of these “no hosted analytics” sites begin to have Google Analytics tags. Sites like Census.gov, the EPA, FCC, FEMA, HUD, and even FTC might all start to take advantage of Google’s largesse (and willingness to provide a browser-based opt-out, don’t forget that!)

What do you think?

As always I welcome your thoughts, observations, reaction, and even anti-tracking-pro-privacy rants. If you are you a Federal site manager with insight to share but unable to voice your position publicly then out of respect I am happy to have you post anonymously as long as you provide a valid email address that I will confirm and then convert to “anon@anonymous.gov” to protect your identity.

30 Comments

Lee IsenseeMarch 21st, 2010

Eric,

Interesting article but you are assuming that the government is focusing on hosted solutions where page tagging is utilized.

While GA does provide a very appealing offering – who can argue with free? – the government is still a data driven group and the idea of aggregated/sampled data is not very attractive in that model.

My immediate thought was that this might be a covering action by Google with regard to the possibility that the EU may enforce cookie opt-in.

Google has never had an opt-out function until now and by doing this they can say “well hey people can opt out from any GA tracking via their browser” where they couldn’t before.

If there are other added benefits like federal data access then it is indeed a smart move by Google.

My perspective on European privacy concerns is that it’s all about the education and Internet maturity of different markets. In Europe some markets fear it breaks their laws (Germany) or is invasive (UK – Phorm). High profile privacy violations and leaks make the news in Europe because standard tech journalists don’t understand the difference between a cookie and deep packet inspection with browser history mirroring tied to a cookie (phorm). The panic comes from the same variable….COOKIE!!!

When this makes the news it sensationalizes things and it gets out of hand. Politicians get written to and use privacy to serve their own political careers rather than acting sensibly in some cases.

It’s a cultural thing as well. I mentioned the UK & Germany – just comparing them to the US for a second shows the differences and why the problems exist.

The US is multi-cultural but you’re all US citizens and value freedom and competitiveness at the core of your nature (in my opinion). If privacy makes you less competitive then privacy will be adjusted where possible to suit competitiveness (like what Google or Facebook are doing – is that fair? again my opinion).

The Germans are detail orientated and if their laws or regulations are being compromised then they will either change the laws or enforce them depending on what is the most practical thing to do. The point being if the Germans have had a regulation then there had better be a superb reason to change the rule. This will be scrutinized carefully by detail orientated Germans. The information age makes that a global concern but the Germans have been doing that since they were German! And quite successfully thank you very many!

The Brits are a bit like the US but fiercely proud of their independence and resist the EU on all matters cultural, from losing the pound note to following the metric system (we still talk inches and ounces). Our American cousins lead the way but we follow cos it’s best for the Empire to follow; God save the Queen!

Getting legal & political agreement on anything in Europe takes a lot of discussion, has a variety of cultural values and legal history as hurdles. Getting agreement in the US is simply a matter of whether it makes financial sense to everyone concerned and doesn’t do any real damage (or real damage can be circumvented by introducing a new law).

I know it’s not as simple as that and I’m not saying the US is always driven by financial reasons but culturally speaking you don’t have multiple ancient histories or borders to worry about.

My hope is that by taking a stand on privacy concerns as Google have done (even if it’s for selfish reasons) they will help pacify the European markets and stop stupid laws like one I linked to (WSJ above) ever needing to be passed.

I do think all vendors should offer the possibility to opt out, but I also believe that the only ones actively opting out are the ones who 1) has enough technical understanding and 2) are more or less paranoid. The vast majority of users don’t even consider that possibility that their actions may be analyzed.

Still, I definitely respect everyone’s right to privacy.

For that reason, and due to the fact the Germany was giving GA a ridicullously hard time, we built a small piece of code that website owners could use to offer their visitors the possibility to opt out.

Personally, I’m confused that GA has been pointed out to be more “evil” than the rest. If anything their TOS limits the privacy risk more than most vendors.

As a sidenote, The Swedish Data Inspection Board has been using Google Analytics on its website for years. Their mission statement: “The Data Inspection Board is a public authority. Our task is to protect the individual’s privacy in the information society without unnecessarily preventing or complicating the use of new technology.”

Lars JohanssonMarch 21st, 2010

Steve,

Two things to remember:

1) The Germans have singled out Google specifically. I don’t know that it’s about analytics as much as it is about finding any way possible to take a hit at Google. There are are other vendors who do not offer the possibility to opt out.

2) Authorities in the US seem to have *stricter* rules than their European counterparts (that I’m aware of) for their own websites.

Here’s one of those strange Europeans (Germans) that is fighting with privacy fears and authorities that called Google Analytics and similar tools illegal. Your post is great, I agree with most, but you might speak a little less condescendingly about the privacy wonks, because they might look at this as a proof that web analysts don’t really care about privacy.

The fear remains that Google joins the cookie and IP data obtained through Analytics with the data obtained through its other services (Gmail etc.). With the mass of websites using Google Analytics, they COULD get pretty much complete and personal user browsing profiles. And the way you wrote it, this is the reason why Google has Google Analytics.

The way you put it, I don’t think anymore that the European “privacy wonks” (to use your terms) are the reason anymore why Google comes up with this browser plugin.
I was hoping for Google to react to the privacy authorities outlawing GA here.

But a browser plugin is not an answer to that. That will only make European privacy authorities laugh, and I don’t think Google is so stupid that they wouldn’t know about that.

Why is a browser plugin laughable?
1. There are already browser plugins that block Google Analytics cookies already, so if someone knows how to install browser plugins (which I think is a clear minority of users) can use Customize Google (downloaded by 10 million people already)) or (Counterpixel).
2. Asking the user to install a browser plugin if he doesn’t want his IP address and browsing behavior sent to Google – that is really plain ridiculous in the eyes of the privacy authorities, to whom tracking should have to be opted in.

Although I am not a privacy wonk, I also do not think that requiring a browser plugin to opt out is a user-friendly way to do it.

So I am still hoping for Google to react to this privacy stuff around here before the German lawyers start admonishing. Why don’t they just stop storing IP addresses for example?

Lars JohanssonMarch 21st, 2010

Lukas,

Thank you for adding to the discussion. I assume you don’t find the possibility to opt out offered by Omniture and Coremetrics (mentioned above) sufficient either. Correct?

Maybe the best thing for people who are that afraid would be to avoid Gmail and Google search? There’s a search engine called Altavista that would really appreciate some traffic. 😉

On a more serious note, what would be an acceptable solution (in Germany)? Are Webtrends, Omniture, Coremetrics, Unica, etc. living up to it?

Cheers,
Lars Johansson

JudahMarch 22nd, 2010

Re: bitheads. One has always been able to opt-out of GA (or any other page tag based WA solution) on a PC by setting http://www.google-analytics.com to your loopback address (127.0.0.1) in your hosts file… 😉

AlvinMarch 21st, 2010

The true victims of this “GA Opt-out” plan are those small-medium business who wants to optimize website and improve business through this free solution.

If Google truly care about user’s privacy, it should also allow users to opt-out of GMAIL, CHAT, GOOGLE SEARCH ENGINE through one click too.

I can see that once regular (non-technical) users are educated on this “opt-out” option, they will definitely go for it. If we trace back to the history of firewall and other security settings, we know that majority of these regular users try hard to protect their privacy. This ten-year-old article below showed that majority of American internet users wanted privacy but did not understand the mechanism. If Google starts educating its users and making it easy to opt-out through one click (without deleting cookies, etc), GA will lose its business value very soon.

On your first point I don’t have evidence that Germany wants to bash Google but if you have more info then I’m all ears. I believe it’s because Google have the majority of Analytics implementations and Germans have focused their efforts on what they consider to be the biggest problem (rather than smaller vendors). The ubiquity of Google in Germany and as Lukas mentioned the possibility (all be it faint) to tie IP to Gmail which brings in potential PII problems.

On your second point I haven’t really seen the stricter regulations you’re talking about but again am all ears. Ok Privacy policies seem to be longer and have more lawspeak I’ll give you that but aside from that I don’t see it. Interested in a US opinion here.

Regardless though it doesn’t really matter whether they are stricter than Europe at the moment, the fact is that the US have unanimous agreement on privacy at a legal level, something Europe has still to settle.

How many legal perspectives do we have in Europe? 26? 27? Just getting the right people in the same room will take years! 🙂

I think the discussion should change to what we as analytics folks want in Europe actually rather than what individual nations or the EU are doing (or trying to do).

Personally I’d want Europe to accept cookies and IP tracking across sessions as the defacto standard whilst keeping complete privacy for PII. The only time PII should be passed is when the user has consciously logged in (IE Amazon).

[…] I read Eric’s blog post about why Google is really offering opt-out, it made me smile. As usual, he is controversial like no one can be – makes me kind of proud […]

AnonymousMarch 23rd, 2010

For years, in internal communities federal web managers have been clamoring for persistent cookies to improve site metrics. A few have even succeeded in obtaining the high-level approval OMB requires to do so. And we never have enough budget to pay for something we can get for free – which is as much a reason as any other why so many federal agencies are still using web log analyzers. There’s no question that there will be a large movement to GA as soon as there is no longer any prohibition against using it. And those currently selling analytics solutions to feds have are well aware of this.

[…] had probably the most complete coverage of the issue, with some astute observations regarding Google’s privacy motives being tied to their interest in collecting data from US federal government […]

Well I have to say I think you’re onto something. I’ve been waiting for someone really to cover this story but there hasn’t been a lot of fanfare. Mostly just the stuff that Beal and other have posted.

Google is always a few steps ahead of the game so I suspect you’re probably dead-on. Great post and insight!

@Lars: Sorry, I didn’t read your post earlier. I am (unfortunately) not familiar with too many other web analytics tools, but I do know that there ARE certainly companies that offer solutions that are according to the German privacy law (Nedstat, etracker etc.).

Like Brian says, as long as the IP address is not being handed over to third-party companies outside the European Union (like Google), everything is fine (I am not a lawyer, but that’s how I understand it…). If you take this thought further, it makes it even illegal embedding a YouTube video on a web page, because that way the IP address is also being sent to a third-party outside of Europe (Google again). But I guess with youtube it is not that bad because it’s not on every page and probably doesn’t serve you as much as Analytics data if you want to generate a user profile based on browsing behaviour.

@Steve Jackson:
“How many legal perspectives do we have in Europe? 26? 27? Just getting the right people in the same room will take years! 🙂 ”

==> This is true. Even within Germany, there are courts that have ruled GA and saving of IP addresses illegal and Courts that haven’t.

“Personally I’d want Europe to accept cookies and IP tracking across sessions as the defacto standard whilst keeping complete privacy for PII. The only time PII should be passed is when the user has consciously logged in (IE Amazon). Do Analytics people in Europe agree with the above?”

==> Well, the problem is that it seems like the opinion that probably has a slight majority of followers, at least in German law, is that IP addresses ARE Personally Identifiable Information. That’s why the whole problem occurs of sharing IP addresses with third parties without previous user consent. To me, that’s kind of hilarious, but then again, there are cases where criminals could be identified through to their IP address, so that is a tough question.

Best,
Lukas

Google Analytics Opt-Out | BrettMBell.comMarch 24th, 2010

[…] Eric Peters suggests that Google are merely doing it merely to meet US government requires so Google Analytics can be used on federal websites. I suspect he may be correct. […]

Basically the U.S. Office of Management and Budget (OMB) will be announcing the new cookie rules on April 7th. I can’t say for sure but I suspect this will be the beginning of the “Googleization” of analytics in the Federal Government. Time will tell.

another approach: A Google opt-out plugin for browsers offers Google the opportunity to install software on lots of computers.
If you use the Google toolbar, you probably have no concerns about privacy. But other people could be convinced to use maybe another Google service, if it’s convinient enough to do so.
So I assume, the plugin will get more and more different features regarding whatever services Google is offering.

Fascinating post, Eric, and I believe accurate. Our government – and those little birds – deserve behavioral web analytics. If this is how 63% of our government agencies begin that journey then we are moving happily towards a culture of measurement.

That the OMB is “about to take a much more reasonable stance on visitor tracking anyway” is motivated in part by Obama’s memo from 1/21/09 about creating a Transparency and Open Government: http://bit.ly/dipBhM

And for those of us interested in tracking satisfaction with government agencies, there is the recent inaugural E-Government Transparency Index was published by ForeSee Results. Social Security Website Better Than Amazon, Google and Netflix! (Not kidding) http://bit.ly/aC525O

But, I would go further to say that it is necessary to ensure:
* user-trust
* user-choice
* user-transparency

Google only has one brand & the loss of trust in one Google product (e.g. Google Buzz) could have collateral damage on other products, such as Gmail, GA or the hole grail… Google Search.

Any plug-in or tools that re-enforce the walls around Google`s paid search cash cow is to be expected. The privacy dashboard was another step in this direction & more add-on such as this will follow.

I suspect that Google is trying to fend-off the FTC investigation into Buzz, they do not want this to expand into other products such as GA, orkut, youtube or Adwords:
“Federal Trade Commissioner Pamela Jones Harbour said technology companies are setting a dangerous precedent of publicly exposing consumer data”…”spokesman for Google said that the company cares about privacy, citing its creation of tools to help users understand & control information online”
blogs.wsj.com/digits/2010/03/17/google-buzz-exemplifies-privacy-problems-ftc-commissioner-says/

Plus, their is a cross-domains cookie functions build into GA, which if combined with secondTracker can also be used in a similar way to a 3rd party cookie:
code.google.com/apis/analytics/docs/tracking/gaTrackingSite.html#multipleDomains

I suspect if GoogleWebSiteOptimiser is upgraded to allow for targeting of return visitors via the cookie (or optimising for visitor segments) then a stronger GA cookie the opt-out will be necessary.

Anti-virus & anti-malware companies have historically not blocked or deleted the GA cookie, if the cookie starts being used for targeting they could flag it as a “bad cookie”… unless GA brings out options to easily control the cookie in the browser.

The FF add-on may be a prequel to browser integration; I wonder if the next version of Chrome or FireFox will come with a GA opt-out screen built into the software? (not just via the incognito mode)

Google have a FireFox extension for the DoubleClick opt-out, so the GA extension is probable a just re-purposed version of this code.
* google.com/ads/preferences/plugin/

Note: With the exception of Yahoo Accounts login, these preferences are lost if cookies are cleared. Hence the need for a FF extension, Browser integration or google toolbar method.

I have not seen the Beta FF extension, but I am interested to know…

* is urchin gif also blocked?
* is it a global setting or are individual sites blocked?
* does the FF extension also show the contents of the cookie, in an easy to read way (like wasp) or is it just an on or off button?
* is a new ga.js functions to deleteTrafficforVisitCode() going to be added to ga.js to prevent processing of a visitor gif request prior to opting-out, or it this technically not feasible?
* Is GA moving towards using the customerID rather than cookieID for tracking sessions visits across multiple browsers & devices, and would it integrate the opt-out with google accounts as Yahoo have done?
* How many ga-to-adwords imported conversion will be lost by introducing this tool & will this result in GoogleConversionOptimiser automatically reducing bid prices as a result?
* Will all GA webmasters need to update their privacy policy with a link to the opt-out FF extension, and would GA need to set-up a spider to check for the existence of this link?
* Would GA every be forced to introduce an adopt opt-in extension rather than an opt-out, and is this plugin a means to half-way silence the German bureaucrats?

Thanks

Phil (from London, UK).

Other Notes:

* Impact of the Buzz privacy crisis according to viralheat.com social analysis: (positive vs negative tweets over time)
cdn.mashable.com/wp-content/uploads/2010/02/googlebuzzprivacy.jpg
mashable.com/2010/02/22/google-buzz-graph/

There has been a rise in searches for “google analytics login” over the last 30days in the UK. I saw a similar rise in “google adwords logins” last year, around the time when their was a bunch of adwords phishing emails sent out. So the tracking opt-out might be part of a wider policy to protect the google account login which uses the same username & password to access GA.
google.com/insights/search/#cat=675&geo=GB&date=today%201-m&cmpt=q

Why on earth should I trust a 3rd party to handle the opting out when I can use noscript and opt out for real on my own?

Cmcore boxing | 2p-techMarch 4th, 2011

[…] Why Google is really offering an opt-out … | Web AnalyticsWhen I first saw the news of Google’s opt-out browser plug-in spread around Twitter I thought “hmm, I wondered when we’d see this” and moved on since opt-out is more or less an non-issue — basically because in For all the hand-wringing and navel-gazing people do on the subject of privacy online, … If you have it, […]

You use Google Analytics yourself (and AddtoAny) – is that because there are no alternatives? Or are alternatives expensive, not easy to find, not easy to install, operate?

Do you / readers know smart alternatives to GA, and price ranges?

It’s not logic that companies don’t want to keep visitor data to itself. From a marketing / sales point of view it’s the most stupid thing to do to hand out valuable customer information for free to a competitor, with all rights, to sell, exchange etc.

Another point:
In Europe new laws are on the way that give users the right to refuse being tracked online. So even if US website-owners laugh about European attitudes on privacy, when they want to keep on ‘publishing’ their websites within the European Union, they have to prepare opt-in tools and develop business-models that bring profit without data-tracking

[…] wonders why Google has decided that that now is the time to do itA very interesting blog post by Eric Peterson suggests it is a way of Google maintaining and increasing its ability to accumulate data – […]

Dave LoganMay 5th, 2016

It’s irrelevant if the browser cookies negatively affect me or my system. I don’t care if they’re 110% harmless. If they’re there purely to make money for someone else, I don’t want them. It’s that simple.

Eric T. Peterson is author of Web Analytics Demystified, Web Site Measurement Hacks and The Big Book of Key Performance Indicators and a long-time member of the web analytics community. He frequently presents on web analytics and is often cited in articles about digital measurement. In the past Mr. Peterson has worked with well-known brands like Microsoft, HP, Cisco, Best Buy, Disney, LEGO, CBS and CBS News, and ESPN. More recently, Mr. Peterson has founded The Analysis Exchange, a completely new way to gain experience with digital measurement.
As an employee of Analytics Demystified Eric is a member of the Digital Analytics Association (DAA), an Adobe Business Partner, and a Google Analytics Certified Partner.